Solved

TROUBLE ACCESSING INTERNET THROUGH ROUTER

Posted on 2006-07-06
24
239 Views
Last Modified: 2010-04-17
Hi,

I am trying to configure a router so that the hosts behind it can use it as their gateway to reach the internet. The diagram of the network can be seen at www.virgoletta.com/network/. I am trying to allow PC 2 access to the internet, which is located outside of the firewall. On the Boston Router I have a default route which points to the firewall. This default route works fine for the hosts which are located off Switch 2. However, I tried putting a default route on the New York router which points to the s0/0 interface of the Boston Router, but PC 2 and the other hosts which are located on Switch 1 do not have access to the internet. Also, I have two servers which can be seen on the diagram; from PC 2 I have no access to them, I cannot even ping them. What can I do?

  Thanks in advance,
 Vreyesii
Question by:vreyesii
24 Comments
 
LVL 32

Expert Comment

by:rsivanandan
On the boston router, do you have a route entry for 192.168.10.x network ? If not, add it;

Then try pinging a machine from pc2 and see if that helps.

Cheers,
Rajesh
0
 

Author Comment

by:vreyesii
I already have a route for the 192.168.10.0 network on the Boston router and that did not help. I tried pinging both of the servers and nothing. I am able to ping 10.1.1.10, which is the Boston e0/0 interface, and also Switch 2 and PC 3, but not anything else.

thank you,
vreyesii
0
 
LVL 32

Expert Comment

by:rsivanandan
Ok, I guess time for the config :-) Can you post both newyork and boston configs ?

Lemme ask you this, are you able to ping 10.1.1.1 ? Since you are able to ping 10.1.1.10. I would assume you will be able to do the firewall as well, if you have a route back to 192.168.10.x network in the firewall as well. Do you have one ?

Cheers,
Rajesh
0
 
LVL 50

Expert Comment

by:Don Johnston
Can PC 2 ping 10.1.1.16?
Can PC 2 ping 10.1.1.1?
0
 

Author Comment

by:vreyesii
To answer rsivanandan's question, I cannot ping 10.1.1.1. I do not believe that on the firewall I have a route back to the 192.168.10.0 network; I thought the firewall could not route. donjohnston, from PC 2 I cannot ping 10.1.1.6 or 10.1.1.1, as I told rsivanandan.

Thank you,
vreyesii
0
 
LVL 50

Expert Comment

by:Don Johnston
I didn't ask if PC2 could ping 10.1.1.6. I asked if PC2 could ping 10.1.1.16
0
 

Author Comment

by:vreyesii
Sorry about the misunderstanding, yes PC 2 can ping 10.1.1.16.

Thank you,
vreyesii
0
 
LVL 50

Expert Comment

by:Don Johnston
Then the problem is most likely in the firewall. It's probably that the firewall doesn't have a route to the 192.168.10.0 network.
0
 

Author Comment

by:vreyesii
OK, I understand. How can I add a route on the PIX to the 192.168.10.0 network?

thank you,
vreyesii
0
 
LVL 1

Expert Comment

by:bmanchee
vreyesii,
I would agree that you should check the pix for a route pointing back to the newyork subnet. Try this: "route inside <destination net> <mask> <gateway> 1", or in your case "route inside 192.168.10.0 255.255.255.0 10.1.1.10 1". The 1 at the end is the number of hops from the pix to the router.
0
 
LVL 1

Expert Comment

by:bmanchee
Although, I find it odd that you cannot ping the internal web servers also - the Pix routing should have nothing to do with this.  What do these web servers have as their default routes?  The PIX or the Boston router?
0
 

Author Comment

by:vreyesii
The default gateway that the web servers use is 10.1.1.1. I added the route to the PIX; that did not work.

thanks,
vreyesii
0
 
LVL 1

Expert Comment

by:bmanchee
Did the internet access from newyork still fail, or just access to the web servers?
0
 

Author Comment

by:vreyesii
Internet access from New York is still not working and I still can't ping the web servers. The only difference now is that I am able to ping 10.1.1.1 (PIX).

thanks,
vreyesii
0
 
LVL 50

Expert Comment

by:Don Johnston
route inside 192.168.10.0 255.255.255.0 10.1.1.10
0
 

Author Comment

by:vreyesii
Below are the routes which are configured on the PIX.

pixfirewall(config)# sh route
        outside 0.0.0.0 0.0.0.0 216.x.x.1 1 OTHER static
        inside 10.1.1.0 255.255.255.0 10.1.1.1 1 CONNECT static
        inside 192.168.10.0 255.255.255.0 10.1.1.10 1 OTHER static
        outside 216.x.x.0 255.255.255.0 216.x.x.85 1 CONNECT static

thanks,
vreyesii
0
 
LVL 1

Expert Comment

by:bmanchee
Okay - another idea.  I assume from your diagram, your LANs are using private addressing, so you're probably using NAT to get out to the Internet.  Have you set up the PIX to perform NAT on the newyork LAN addresses?  With the NAT statements in the PIX you can either let all internal traffic get NATed outbound or specify particular subnets.  If you have a NAT statement in your config that explicitly references the Boston subnet, you will have to add in another NAT statement to allow the NewYork subnet also.

As for the web server access - most firewalls prevent routing packets out the same interface from where the packet originated.  In your case - with the web servers pointing to the PIX as a default route, they will send reply traffic to New York via the PIX.  The PIX will receive the return traffic from the servers on your inside interface, realize that the destination is also on the inside interface, and discard the packets.  To get around this, you can either reconfigure your web servers to point to the 10.1.1.10 router as their default gateway, or disable this feature on the internal interface.  Gimme a few here and I will try to look up how to do that.
0
 

Author Comment

by:vreyesii
Alright, currently the PIX has "nat (inside) 1 10.1.1.0 255.255.255.0 0 0", so I have to add another statement such as
"nat (inside) 1 192.168.10.0 255.255.255.0 0 0". By adding this statement into the PIX config, wouldn't that replace the other nat (inside) statement?

thank you,
vreyesii
0
 
LVL 1

Accepted Solution

by:
bmanchee earned 500 total points
Actually, the best bet would be to issue the command "nat (inside) 1 0 0".  This will replace your current NAT entry.  The 0's in the above statement are wildcards, and will allow all traffic from the inside interface to be NATed and forwarded out to the internet.  Your current nat statement explicitly only NATs the 10.1.1.0/24 subnet.
0
 
LVL 1

Expert Comment

by:bmanchee
Also, issue a "clear xlate" command after changing the NAT configuration to reset the translation tables.
0
 

Author Comment

by:vreyesii
OK, the hosts located on the New York router now have access to the internet. However, I have one more question. Why am I able to ping 10.1.1.1 but not ssh into it? I get an error which is "Network Error: Connection Refused". I need to have access to the PIX from the New York side.

thank you,
vreyesii
0
 
LVL 1

Expert Comment

by:bmanchee
Check your config for an "ssh <ip address> <mask> <interface>" line in it.  This specifies who can ssh into the PIX.  You may have to add another line similar to the one you see with the NewYork subnet.
0
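The thread ends up touching four separate PIX decisions: the route back to 192.168.10.0/24 (bmanchee's "route inside" suggestion and the "sh route" output), the same-interface drop that explains why the web servers never answer PC 2, the NAT statement that decides which inside subnets get translated, and the "ssh" line that decides who may manage the box. The following Python model is an added illustration and is not Cisco code or anything posted in the thread; it reproduces each of those decisions on the thread's own addresses so the "before" and "after" states can be compared side by side. Host addresses such as 192.168.10.20 and 10.1.1.50 are constructed, and the RFC 5737 documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the masked 216.x.x.x public addresses.

```python
"""Added illustration (not Cisco code): a small Python model of the PIX
forwarding decisions discussed in this thread -- route lookup, the
same-interface (hairpin) drop, NAT coverage and the ssh access list.
Addresses come from the thread except the constructed hosts below and
the RFC 5737 documentation blocks used in place of 216.x.x.x."""
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network


class Pix:
    def __init__(self, routes, nat_inside, ssh_permit):
        # routes: (interface, network) pairs as listed by "sh route"
        self.routes = [(iface, NET(n)) for iface, n in routes]
        # nat_inside: networks named in "nat (inside) 1 <net> <mask>"
        self.nat_inside = [NET(n) for n in nat_inside]
        # ssh_permit: (network, interface) pairs from "ssh <ip> <mask> <interface>"
        self.ssh_permit = [(NET(n), iface) for n, iface in ssh_permit]

    def egress_interface(self, dst):
        """Longest-prefix match over the route table; None if nothing matches."""
        dst = IP(dst)
        best = None
        for iface, net in self.routes:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (iface, net)
        return best[0] if best else None

    def forward(self, src, dst, ingress):
        """Return 'forward via <iface>' or 'drop: <reason>' for one packet."""
        out = self.egress_interface(dst)
        if out is None:
            return "drop: no route to %s" % dst
        if out == ingress:
            # The PIX will not send a packet back out the interface it arrived on.
            return "drop: egress %s equals ingress (same-interface hairpin)" % out
        if ingress == "inside" and out == "outside":
            # Outbound traffic needs a nat statement that covers its source.
            if not any(IP(src) in net for net in self.nat_inside):
                return "drop: no nat (inside) statement covers %s" % src
        return "forward via %s" % out

    def ssh_allowed(self, src, ingress):
        """True when an "ssh" line permits src on the interface it arrives on."""
        return any(IP(src) in net and iface == ingress for net, iface in self.ssh_permit)


# Constructed sample hosts: PC 2 on the New York LAN, a web server on the
# Boston LAN, and an Internet host standing in for any public address.
PC2, WEBSRV, INET = "192.168.10.20", "10.1.1.50", "198.51.100.7"

# The PIX route table before the New York route was added (203.0.113.0/24
# stands in for the masked 216.x.x.0/24 outside network).
BASE_ROUTES = [("outside", "0.0.0.0/0"), ("inside", "10.1.1.0/24"), ("outside", "203.0.113.0/24")]
# route inside 192.168.10.0 255.255.255.0 10.1.1.10 1
NY_ROUTE = ("inside", "192.168.10.0/24")


def diagnose():
    """Walk through the states the thread passed through and collect the verdicts."""
    before = Pix(BASE_ROUTES, ["10.1.1.0/24"], [("10.1.1.0/24", "inside")])
    after = Pix(BASE_ROUTES + [NY_ROUTE], ["0.0.0.0/0"],
                [("10.1.1.0/24", "inside"), ("192.168.10.0/24", "inside")])
    old_nat = Pix(BASE_ROUTES + [NY_ROUTE], ["10.1.1.0/24"], [])
    return {
        # Reply from the Internet to PC 2 with and without a route back to 192.168.10.0/24
        "reply_no_route": before.forward(INET, PC2, "outside"),
        "reply_with_route": after.forward(INET, PC2, "outside"),
        # PC 2 to the Internet with the original "nat (inside) 1 10.1.1.0 255.255.255.0"
        # and then with the accepted "nat (inside) 1 0 0"
        "ny_to_inet_old_nat": old_nat.forward(PC2, INET, "inside"),
        "ny_to_inet_new_nat": after.forward(PC2, INET, "inside"),
        # Web server (default gateway 10.1.1.1) replying to PC 2 through the PIX
        "websrv_reply_to_ny": after.forward(WEBSRV, PC2, "inside"),
        # Management access from PC 2 before and after the extra "ssh" line
        "ssh_before": before.ssh_allowed(PC2, "inside"),
        "ssh_after": after.ssh_allowed(PC2, "inside"),
    }


if __name__ == "__main__":
    for case, verdict in diagnose().items():
        print("%-20s %s" % (case, verdict))
```

Running the block shows the three distinct failure reasons the thread worked through (no return route, no covering NAT statement, and the hairpin drop on the web-server replies) plus the ssh refusal, each attributed to the specific line of configuration that causes it. Note that the web-server case still drops in the "after" state: the thread fixed it by changing the servers' default gateway, not by any PIX command, and the model reflects that. The wildcard "nat (inside) 1 0 0" is what the accepted answer used; if a tighter policy is wanted, my understanding is that PIX also accepts a second "nat (inside) 1 192.168.10.0 255.255.255.0" line alongside the existing 10.1.1.0 one, which the model represents by listing both subnets in nat_inside instead of 0.0.0.0/0.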
 

Author Comment

by:vreyesii
Well, everything is working well. Thank you for all your help.

thanks again,
vreyesii
0
